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DETAILED ACTION 

1 . This is in response to the election to restriction filed on January 9 th , 2009. Claims 1-13, 
21-30, 32 and 33 are pending and have been considered below. 

Election/Restrictions 

2. Applicant's election without traverse of Species I, Claims 1-13, in the reply filed on 
January 9 th , 2009 is acknowledged. 

Claim Rejections - 35 USC § 112 

3. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

4. Claim 7 is rejected under 35 U.S.C. 1 12, second paragraph, as being indefinite for failing 
to particularly point out and distinctly claim the subject matter which applicant regards as the 
invention. 

5. Claim 7 recites the limitation "the requesting code" in line 2. There is insufficient 
antecedent basis for this limitation in the claim. 

6. The Examiner respectfully notes that the Applicant may have inadvertently failed to 
acknowledge this particular rejection in the remarks filed on September 19 th , 2008. 



Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
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(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

8. Claims 1-13 are rejected under 35 U.S.C. 103(a) as being unpatentable over Traw et 
aL (6,542,610) in view of Hiltunen et al. (2002/0091938) and further in view of Pevravian et 
aL (6,826,686). 

Claim 1: Traw et al. discloses a method for providing information that can be used to verify 
measurable aspects of a requesting computing system, the method comprising: 

a. determining that the providing computing system(Device A) is appropriately 
configured to issue challenges to components included in the requesting computing 
systsmfDevice B) and determining that the providing application is appropriately configured to 
issue challenges to the requesting instructionsfDev/ce A sends a challenge to Device B and 
compares the response to an expected value) [column 7, lines 16-41]; 

b. receiving a challenge initiated by the providing application based at least in part on the 
providing computing system and the providing application(/o//owmg successful completion of 
the preliminary authentication procedure, each device calculates and exchanges signed 
messages), the challenge including information indicating how the requesting computing system 
is to prove that the requesting computing system is appropriately configured to access a 
resourcefz'e. device certificates typically contain a description of the ciphers that are supported 
by the device and may specify a key length and type of cipher to use) [column 8, lines 33-39 | 
column 5, lines 1-10]; 

c. formulating proof, based on a measurable aspect of the requesting computing system's 
configuration, that the measurable aspect of the requesting computing system's configuration is 
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appropriate for accessing a resource(7e. formulating a response to a challenge with the 
appropriate key length and type of cipher as defined in the device certificate contained in the 
challenge) [column 5, lines 1-10]; 

d. and submitting an assertion that can be used to verify that the requesting computing 
system is appropriately configured to access a resource^/gwed messages) [column 8, lines 33- 
39]. 

Additionally, Traw et al. discloses that the challenge includes information^, device 
certificates, which are concatenated with a random challenge, provide information regarding the 
authentication) identifying authentication parameters^, determining what authentication level 
to employ and what cipher systems to use when encrypting the random challenge, etc.) [column 
5, lines 1-10 & column 8, lines 17-20], but does not explicitly disclose that the challenge 
includes information comprising at least the identity of a region within a portion of executable 
instructions at the requesting computing system computed from a first random value and a 
second random value, the portion of executable instructions used to determine a measurable 
aspect of a configuration. 

Nonetheless, Hiltunen et al. discloses a similar invention and further discloses 
authentication of at least a portion of executable instructionsfz'e. program code) by utilizing an 
identity of a portion of executable instructionsfze. location of the challenge is defined by the 
location algorithm), a random challenge and any common hashing algorithm, such as SHA-l(7e. 
a checksum is computed from the entire memory area), to generate a measurable aspect of a 
configuration^, compares the two checksums) [page 4, paragraphs 0037-0038]. 
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Furthermore, Peyravian et al. discloses a similar invention and further discloses a 
challenge which includes information comprising at least the identity of a requesting computing 
systemfz'e. authentication token is a hash of the digest, rc and rs) computed from a first random 
valuefze. Rc) and a second random valuef/e. Rs), used to determine a measurable aspect of a 
configuration^^, client generates a digest of the userid and password such that the digest is a 
hash of the userid and password) [column 3, lines 52-67]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to further modify the invention disclosed by Traw et al. with the features disclosed by 
Hiltunen et al. and Peyravian et al. in order to verify that particular software is an authorized 
version, as suggested by Hiltunen et al. [page 1, paragraph 0010], and to ensure freshness of the 
verification, as suggested by Peyravian et al. [column 3, lines 66-67]. 

Claim 3: Traw et al. , Hiltunen et al. and Peyravian et al. disclose a method as in claim 1 above, 
and Traw et al. further discloses that the act of determining that the providing application is 
appropriately configured to issue challenges to the 

requesting instructions comprises receiving proof that the providing application complies with 
one or more security and trust policies of the requesting computing systemfcompares data string 
to expected value to determine if devices can exchange protect content) [column 7, lines 16-41]. 
Claim 4: Traw et al. , Hiltunen et al. and Peyravian et al. disclose a method as in claim 1 above, 
and Traw et al. further discloses that receiving a challenge that was initiated by the providing 
application comprises receiving a request for proof of the vahiesfsigned message) of one or more 
measurable aspects of the requesting computer system(©evzce B transmits signed message to 
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Device A) [column 8, lines 33-39]. The examiner notes that the act of transmitting a proof value 

to Device A implies that Device B has accepted a request for a proof value. 

Claim 5: Traw et al , Hiltunen et al. and Peyravian et al. disclose a method as in claim 1 above, 

and Traw et al. further discloses that the submitted assertion includes the values of one or more 

measurable aspects of the requesting computer systemfsigned message contains random 

challenge and Diffie-Hellman key exchange value) [column 8, lines 33-39]. 

Claim 6: Traw et al. , Hiltunen et al. and Peyravian et al. disclose a method as in claim 1 above, 

and Hiltunen et al. further discloses that the submitted assertion indicates the identity of one or 

more portions of the requesting instructions [page 2, paragraph 0019]. 

Claim 7: Traw et al. , Hiltunen et al. and Peyravian et al. disclose a method as in claim 1 above, 
and Traw et al. further discloses that the submitted/received assertion indicates an execution 
environment^, if expected value not indicates a security threat on the system) [column 7, lines 
6-15]. 

Claim 8: Traw et al. discloses a method for verifying measurable aspects of the requesting 
computing system, the method comprising: 

a. proving that the providing computing system(©ev/ce A) is appropriately configured to 
issue challenges to components of the requesting computing system(Dev/ce B) (each device 
verifies that the appropriate response has been received) [column 7, lines 16-41]; 

b. causing a configuration challenge to be issued to the requesting instructions(/o//owmg 
successful completion of the preliminary authentication procedure, each device calculates and 
exchanges signed messages), the challenge including information indicating how the requesting 
computing system is to prove that the requesting computing system is appropriately configured 
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to access a resource(7e. device certificates typically contain a description of the ciphers that are 
supported by the device and may specify a key length and type of cipher to use) [column 8, lines 
33-39 | column 5, lines 1-10]; 

c. receiving an assertion that can be used to verify that the requesting instructions are 
configured appropriately for interacting with the providing applicationfsz'gweJ messages), the 
assertion including information based at least in part upon both a measurable aspect of the 
requesting system is configured and the information indicating how the requesting computing 
system is to prove that the requesting computing system is appropriately configuredf/e. 
formulating a response to a challenge with the appropriate key length and type of cipher as 
defined in the device certificate contained in the challenge) [column 8, lines 33-39 | column 5, 
lines 1-10]. 

Additionally, Traw et al. discloses that the challenge includes information^, device 
certificates, which are concatenated with a random challenge, provide information regarding the 
authentication) identifying authentication parametersf/e. determining what authentication level 
to employ and what cipher systems to use when encrypting the random challenge, etc.) [column 
5, lines 1-10 & column 8, lines 17-20], but does not explicitly disclose that the challenge 
includes information comprising at least the identity of a region within a portion of instructions 
at the requesting computing system computed from a first random value and a second random 
value. 

Nonetheless, Hiltunen et al. discloses a similar invention and further discloses 
authentication of at least a portion of executable instructionsfz'e. program code) by utilizing an 
identity of a portion of executable instructionsfze. location of the challenge is defined by the 
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location algorithm), a random challenge and any common hashing algorithm, such as SHA-l(7e. 
a checksum is computed from the entire memory area), to generate a measurable aspect of a 
configuration^^, compares the two checksums) [page 4, paragraphs 0037-0038]. 

Furthermore, Peyravian et al. discloses a similar invention and further discloses a 
challenge which includes information comprising at least the identity of a requesting computing 
systemfz'e. authentication token is a hash of the digest, rc and rs) computed from a first random 
valuefz'e. Rc) and a second random value(7e. Rs), used to determine a measurable aspect of a 
configuration^^, client generates a digest of the userid and password such that the digest is a 
hash of the userid and password) [column 3, lines 52-67]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to further modify the invention disclosed by Traw et al. with the features disclosed by 
Hiltuncn ct al. and Peyravian et al. in order to verify that particular software is an authorized 
version, as suggested by Hiltunen et al. [page 1, paragraph 0010], and to ensure freshness of the 
verification, as suggested by Peyravian et al. [column 3, lines 66-67]. 

Claim 10: Traw et al , Hiltunen et al. and Peyravian et al. disclose a method as in claim 8 above, 
and Traw et al. further discloses that the act of proving that the providing application is 
appropriately configured to issue challenges to the requesting instructions comprises an act of 
sending prooffJata string) that the providing application complies with one or more security and 
trust policies of the requesting computing system(compares data string to expected value to 
determine if devices can exchange protect content) [column 7, lines 16-41]. 
Claim 11: Traw et al , Hiltunen et al. and Peyravian et al. disclose a method as in claim 8 above, 
and Traw et al. further discloses that causing a challenge to be issued to the requesting 
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computing system comprises an act of requesting proof of the values of one or more measurable 
aspects of the requesting computer system(signed message contains random challenge and 
Diffie-Hellman key exchange value) [column 8, lines 33-39]. 

Claim 12: Traw et al , Hiltunen et al. and Peyravian et al. disclose a method as in claim 8 above, 
and Hiltunen et al. further discloses that the received assertion indicates the identity of one or 
more portions of the requesting instructions [page 2, paragraph 0019]. 

Claim 13: Traw et al. , Hiltunen et al. and Peyravian et al. disclose a method as in claim 8 above, 



and Traw et al. further discloses that the submitted/received assertion indicates an execution 
environment^, if expected value not indicates a security threat on the system) [column 7, lines 



Claims 2 and 9: Traw ct al. , Hiltunen et al. and Peyravian et al. disclose a method as in claims 1 



and 8 above, but does not explicitly disclose determining that the providing computing system is 
appropriately configured to issue challenges to components included in the requesting computing 
system comprises an act of establishing an SSL connection between the requesting computing 
system and the providing computer system. However, it would have been obvious to one of 
ordinary skill in the art at the time of invention to employ an SSL connection or any other form 
of secure connection between two computers when transmitting sensitive data across a network. 
One would have been motivated to do so in order to increase the integrity of the system. 



6-15]. 



Response to Arguments 

9. Applicant's arguments with respect to claim 1 have been considered but are moot in view 
of the new ground(s) of rejection. 
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Conclusion 

10. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. Cuccia et al. (6,151,676). 

1 1 . Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The 
examiner can normally be reached on Monday through Thursday 9:00AM-5 :00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

EZ 

March 12, 2009 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



